Where does the space go? A log collector is deployed with four 1 TB disk pairs. The GUI reports 3.23 TB of total space that can be allocated via quota, while various CLI commands show values that differ from the GUI. What is going on here, and how much space do you actually have for logs?

Overview
SSL decryption gives the Palo Alto Networks firewall the ability to see inside secure HTTP traffic that would otherwise be hidden. It can be used to monitor for any sign that a company's valuable intellectual property is leaving through the network. The firewall performs SSL decryption by opening up SSL traffic for inspection.
The following table provides a list of valuable resources on understanding and configuring SSL decryption:
TITLE | DESCRIPTION | TYPE

BASIC
How to implement and test SSL decryption | Describes how to implement and test SSL decryption | Document
Limitations and recommendations while implementing SSL decryption | Limitations and recommendations while implementing SSL decryption | Document
How to view SSL decryption information from the CLI | How to view SSL decryption information from the CLI | Document
List of applications excluded from SSL decryption | List of applications that cannot be decrypted by the Palo Alto Networks device | Document
How to exclude a URL from SSL decryption | Details the CLI commands for adding URLs to the SSL exclude list | Document
SSL decryption certificates | How to manage SSL certificates for decrypting and inspecting SSL traffic | Document
How to temporarily disable SSL decryption | How to temporarily disable SSL decryption without modifying the decryption policy | Document
How to enable/reset the opt-out page for SSL decryption | How to enable the opt-out response page | Document
How to serve a URL response page over an HTTPS session without SSL decryption | How to configure a device to serve a URL response page over an HTTPS session without SSL decryption | Document
Difference between SSL forward-proxy and inbound inspection decryption mode | SSL forward-proxy and SSL inbound inspection modes | Document
How to create a report that includes only SSL decrypted traffic | Create a report that includes only SSL decrypted traffic | Document
How to view decrypted traffic | View decrypted traffic | Document

INTERMEDIATE
How to configure a decrypt mirror port on PAN-OS 6.0 | Create a copy of decrypted traffic and send it to a mirror port | Document

ADVANCED / TROUBLESHOOTING
Troubleshooting SSL Decryption using Dynamic Address Groups | Automation example using the Palo Alto Networks firewall and Dynamic Address Groups (DAGs) | Document
How to identify root cause for SSL decryption failure issues | How to identify decryption failures due to an unsupported cipher suite | Document
SSL vulnerability non-detection behavior is seen when inbound SSL decryption policy is set | Detection of an SSL-relevant vulnerability by the security profile failed | Document
Troubleshooting slowness with traffic, management, or intermittent SSL decryption | Troubleshooting intermittent SSL decryption | Document
SSL decryption not working due to unsupported cipher suites | After configuration and import of the required certificates, inbound SSL decryption is not working | Document
Unable to post pictures on Facebook after enabling SSL decryption | After SSL decryption is enabled, users cannot connect to Facebook using HTTPS | Document
After configuring SSL decryption Mozilla Firefox presents certificate error | SSL decryption on Mozilla Firefox showing a certificate error | Document
SSL decryption policy is decrypting traffic for no-decrypt rules | SSL decryption policy is decrypting traffic for no-decrypt rules | Document
SSL decryption rules not matching FQDN | SSL decryption rules not matching FQDN | Document
Google services do not work in Chrome with SSL decryption | Google not working in Chrome with SSL decryption | Document
Commit error received after configuring SSL decryption for certificate generation | Configuring SSL decryption: commit fails after a certificate generation error | Document
Inbound SSL decryption fails when SSL compression is enabled | Inbound SSL decryption fails | Document
SSL decryption stops working on Firefox after changing SSL decryption certificate | After changing the SSL decryption certificate, SSL decryption does not work for the Firefox browser | Document
SSL decryption opt-out timeout | Display the opt-out page more frequently | Document
Wrong certificate used when SSL decryption is enabled | Untrusted certificate presented when performing SSL decryption | Document
Note: If you have a suggestion for an article, video or discussion not included in this list, please post a recommendation in the comments below and it will be added to the master list.

Issue:
SSL inbound inspection policies worked correctly when configured on PAN-OS 7.1, but after upgrading to 8.0 the sessions fail and the logs show decrypt errors. This is seen when the server uses a certificate with an intermediate certificate in the chain.
Cause:
Prior to PAN-OS 8.0, inbound inspection was completely passive. In 8.0, with ECC and DHE support, it takes a more active role.
Confirmation:
A packet capture on the firewall will confirm whether the firewall is sending the full certificate chain or only the server certificate to the client. Check the Server Hello flight, which carries the Certificate message; if only the server certificate is sent, this may be the cause.
Fix:
Re-import the certificate from your web server to the firewall, making sure you combine the server certificate with the intermediate CA certificate (but not the root CA).
The steps are described here:
https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Install-a-Chained-Certificate-Signed-by-a-Public-CA/ta-p/55523
Additional information:
https://live.paloaltonetworks.com/t5/General-Topics/Panos-8-inbound-ssl-inspection/m-p/183289

This article discusses how PAN-OS can leverage the SNI (Server Name Indication) field to create a custom application.
What is SNI (Server Name Indication)?
SNI is an extension to the SSL/TLS protocol that indicates which hostname the client is attempting to connect to. The client inserts the requested hostname (website address) into the TLS handshake (the browser sends it as part of the Client Hello), enabling the server to select the most appropriate SSL certificate to present to the browser.
When to use SNI to create custom applications
In cases where the SNI field is consistent, it can be reliably used to identify the application.
A custom application can be defined and used to control the SSL traffic without the need for SSL decryption.
Example of creating a custom application
The following example shows how to create a custom application for YouTube where the SNI field is seen as www.youtube.com (as an example only).
Analyze the traffic for consistency of the SNI field in the Client Hello.
Navigate to Objects > Application > Add.
1. Define the general properties of the application.
2. Define the protocol and port as TCP and 443 respectively, since SSL uses protocol TCP and port 443 for communication. Define the other timeout settings as required.
3. The last and most important part of the application definition is to select the context 'ssl-req-client-hello' and define the required pattern as seen in the Client Hello SNI field.
Note:
We recommend analyzing the traffic thoroughly before creating an application signature to ensure the reliability of the custom application.
It is possible for the same web service to use different SNIs on different occasions, so the pattern must take all possibilities into account.
The SNI field carries the hostname the client is attempting to connect to, so any change in the client's request may cause the custom application to stop matching.
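As an added example, not part of the original article or PAN-OS code: a stdlib-only Python parser that pulls the server_name out of a raw TLS ClientHello, which is the field the 'ssl-req-client-hello' context matches, and checks it against the configured pattern. The ClientHello builder, the function names and the pattern list are assumptions of the example.

```python
import struct

# Added example, not PAN-OS code: extract the SNI host name from a raw TLS
# ClientHello, the same field the 'ssl-req-client-hello' context matches on.

def parse_sni(record):
    """Return the server_name from a TLS ClientHello record, or None."""
    try:
        if record[0] != 0x16:                                # record type: handshake
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != 0x01:                                    # HandshakeType: client_hello
            return None
        pos = 4 + 2 + 32                                     # hs header, client_version, random
        pos += 1 + hs[pos]                                   # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hs[pos]                                   # compression_methods
        if pos + 2 > len(hs):
            return None                                      # hello without extensions
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0:                                   # server_name (RFC 6066)
                # ServerNameList length(2), NameType(1) host_name, HostName length(2)
                name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
                return hs[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += elen
    except (IndexError, struct.error):
        pass                                                 # truncated or malformed record
    return None

def matches_custom_app(record, patterns=("www.youtube.com",)):
    """Emulate the custom App-ID: the SNI must equal one configured pattern exactly."""
    sni = parse_sni(record)
    return sni is not None and sni.lower() in patterns

def build_client_hello(server_name):
    """Constructed TLS 1.2 ClientHello with one cipher suite, for offline testing."""
    name = server_name.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00"                # version, random, empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"              # cipher_suites: one entry
            + b"\x01\x00"                                     # compression_methods: null
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

The exact-match check mirrors the note above: a hello carrying a different SNI for the same service (here m.youtube.com) does not match the pattern.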

This article shows how to fix the problem of web browsing failing with the error code SSL_ERROR_RX_RECORD_TOO_LONG. We'll use facebook.com as an example.
Cause
Error code "SSL_ERROR_RX_RECORD_TOO_LONG" means the web server is sending non-secure (HTTP) data where the web browser expects secure (HTTPS) data.
Details
Security policy on the firewall (refers to the URL filtering profile facebook test)
URL filtering profile on the firewall (the social-networking category has the action continue)
With an action of continue on the URL category, the firewall sends a redirect message to the client to prompt the user to click Continue before proceeding to the web page, as follows:
This Continue redirect message sent by the firewall is an HTTP response:
Note: This redirect message shows the URL category and the security policy rule matched by this traffic.
When browsing to www.facebook.com, the browser makes a request for https://www.facebook.com, as below:
In this case, the HTTP redirect message for continue sent by the firewall is treated as an invalid response by the browser, which shows the error SSL_ERROR_RX_RECORD_TOO_LONG.
Solution
Either of the two solutions below overcomes this issue:
Enable outbound SSL decryption on the firewall. For more information on how to enable SSL decryption on the firewall, please click here.
OR
Run the following command on the firewall. This allows the SSL handshake to complete before the HTTP response page is sent to the client. For more information about this command, please click here.
# set deviceconfig setting ssl-decrypt url-proxy yes

Symptoms
Google Drive access works using the Google Chrome browser based on a cached session.
Scenario
The end host has accessed Google Drive or logged in to the account from home, but when the laptop is enrolled on the office network the firewall is not able to identify and block the cached session.
Diagnosis
When someone accesses Google Drive via Chrome, we see at least three sessions:
google-base (google.com, client.google.com, gstatic.com, etc.) (appid 2075): covers the rest (main page, navigating, listing, etc.)
google-drive-web (drive.google.com) (appid 1596): covers login
google-docs-base (docs.google.com) (appid 635): covers downloading and editing functionality
Solution
Blocking Google Drive based on the URL category alone will not help: blocking online-personal-storage (drive.google.com, docs.google.com) will not block listing and navigating.
For blocking to work successfully, blocking google-drive is not enough; google-docs must be blocked as well.
We can further customize the policy to the customer's requirements, for example allowing users to access google-drive but blocking uploads and downloads.
The google-docs application is made up of the sub-applications listed below; the app names describe their functions:
google-docs-base
google-docs-editing
google-docs-enterprise
google-docs-uploading
Note: Decryption must be in place for the above to work. In particular, decrypt the 'search-engine' category along with the following URLs: drive.google.com, *.google.com, *.googleusercontent.com and *.gstatic.com.
A screenshot of adding a security policy that allows access to google-drive but denies downloads or editing and only allows uploading files.
Dependent Issue
Enabling decryption for search-engine might trigger safe search enforcement from the URL category, which breaks the ability to search from the address bar of the Chrome browser.
A search made from the address bar does not include the string "safe=active"; this is seen only when Google is the default search engine.
As a workaround, use the following custom search engine (and make it the default) in the Chrome settings:
{google:baseURL}search?q=%s&safe=active
The screenshot is attached for reference.

Overview
Consider the following custom application and application override rule. We have configured a custom application for TCP ports 80 and 443, and application override applies to traffic to ports 80 and 443 from DMZ to L3-Untrust.
Consider the following decryption rule: here we are decrypting all traffic coming from DMZ and going to L3-Untrust.
If you try to access an HTTPS website, you will find that the traffic is not being decrypted because of the application override, even though decryption is configured for everything.
When application override is configured, the Palo Alto Networks firewall stops processing at Layer 4, so the Layer 7 inspection that SSL decryption depends on never runs for that traffic.

Symptoms
With inbound SSL decryption enabled for server example.com, the system logs show:
reverse proxy key example.com doesn't match certificate issued to example1.com
Diagnosis
The above error indicates that the server certificate (including its private key) that was imported into the device to enable inbound SSL decryption does not match the certificate presented by the server. In this case, the server presented a certificate with the name example1.com.
Solution
To verify this behavior:
Take a packet capture on the client or the firewall for the entire transaction: How to Run a Packet Capture
Find the packet that contains the SSL handshake message "Certificate" (sent from the server to the client)
Expand the packet, locate the certificate(s) and note the serialNumber of the server certificate.
Alternatively, right-click the certificate you want, select Export Selected Packet Bytes and save it under a name.
Match the serial number and validity of this certificate against the serial number and validity of the certificate loaded into the firewall and used in the decryption policy.
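As an added example (not Palo Alto Networks code) serving both the chain re-import fix for inbound inspection on PAN-OS 8.0 (server certificate plus intermediate CA, no root) and the serial-number comparison in the steps just listed: a stdlib-only Python helper that reads serial, validity and the raw Names from DER certificates, checks the order and composition of a PEM bundle, and compares a captured certificate with the loaded one. The function names and the constructed make_cert test data (placeholder Names, no real signature) are assumptions of the example, not PAN-OS behaviour.

```python
import base64
import re
from datetime import datetime
# Added example, not Palo Alto Networks code: a minimal DER walker that reads serial,
# validity and raw issuer/subject Names, checks a server cert -> intermediate CA bundle
# (no root), and compares a captured server certificate with the loaded one.

def _tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _enc(tag, body):                                   # DER-encode one TLV (sample certs only)
    length = bytes([len(body)]) if len(body) < 0x80 else b"\x82" + len(body).to_bytes(2, "big")
    return bytes([tag]) + length + body

def _time(tag, raw):                                   # 0x17 UTCTime, 0x18 GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode(), fmt).isoformat()

def parse_cert(der):
    """Serial (hex, as openssl prints it), validity and raw DER Names of one certificate."""
    _, tbs, _ = _tlv(_tlv(der)[1])                     # Certificate ::= SEQUENCE { tbsCertificate, ... }
    tag, val, pos = _tlv(tbs)
    if tag == 0xA0:                                    # optional explicit [0] version
        tag, val, pos = _tlv(tbs, pos)
    serial = int.from_bytes(val, "big")                # INTEGER serialNumber
    _, _, pos = _tlv(tbs, pos)                         # signature AlgorithmIdentifier
    _, issuer, pos = _tlv(tbs, pos)                    # issuer Name
    _, validity, pos = _tlv(tbs, pos)                  # validity ::= SEQUENCE { notBefore, notAfter }
    _, subject, _ = _tlv(tbs, pos)                     # subject Name
    t1, nb, p = _tlv(validity)
    t2, na, _ = _tlv(validity, p)
    return {"serial": f"{serial:X}", "not_before": _time(t1, nb),
            "not_after": _time(t2, na), "issuer": issuer, "subject": subject}

def pem_certs(text):
    """Split a PEM bundle into DER certificates, in file order."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

def check_chain(pem_bundle):
    """Problems with the bundle: server cert first, each issued by the next, no root at the end."""
    certs = [parse_cert(d) for d in pem_certs(pem_bundle)]
    if not certs:
        return ["bundle contains no certificates"]
    problems = [f"cert {i} is not issued by cert {i + 1}" for i in range(len(certs) - 1)
                if certs[i]["issuer"] != certs[i + 1]["subject"]]
    if certs[-1]["issuer"] == certs[-1]["subject"]:
        problems.append("last cert is self-signed: drop the root CA from the bundle")
    if len(certs) == 1:
        problems.append("only the server certificate is present: append the intermediate CA")
    return problems

def same_certificate(captured_der, loaded_pem):
    """Serial and validity seen in the capture must match the loaded certificate."""
    a, b = parse_cert(captured_der), parse_cert(pem_certs(loaded_pem)[0])
    return all(a[k] == b[k] for k in ("serial", "not_before", "not_after"))

def make_cert(subject, issuer, serial):
    """Constructed, unsigned sample certificate (PEM) with placeholder Names; test data only."""
    name = lambda s: _enc(0x30, _enc(0x0C, s.encode()))
    validity = _enc(0x30, _enc(0x17, b"240101000000Z") + _enc(0x17, b"250101000000Z"))
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, serial.to_bytes(4, "big"))
               + _enc(0x30, b"") + name(issuer) + validity + name(subject) + _enc(0x30, b""))
    der = _enc(0x30, tbs + _enc(0x30, b"") + _enc(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()
```

For a real capture, pass the bytes saved with Export Selected Packet Bytes as captured_der and the PEM exported from the firewall as loaded_pem.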
NOTE:
If you are hosting multiple servers on the same machine 1.2.3.4 (same IP), make sure that the SSL decryption policies are not configured with the IP address as the match condition.
For example:
SSL Decryption Policy 1
Source: Any
Destination: 1.2.3.4
Service: service-https
Action: Decrypt with certificate example.com
SSL Decryption Policy 2
Source: Any
Destination: 1.2.3.4
Service: service-https
Action: Decrypt with certificate example1.com
In this case, when traffic arrives for example1.com and the SSL decryption policy is looked up, it will always match the first policy, even though that policy is bound to the certificate with hostname example.com. The certificate is not a valid match condition in the firewall's policy lookup.
Therefore, when example1.com presents its certificate, it will not match the loaded certificate, which is for example.com.
Resolution
To avoid this situation, create custom URL categories for each URL and use them in the match conditions.
SSL Decryption Policy 1
Source: Any
Destination: 1.2.3.4
Service: service-https
URL Category: Category_Example (contains example.com)
Action: Decrypt with certificate example.com
SSL Decryption Policy 2
Source: Any
Destination: 1.2.3.4
Service: service-https
URL Category: Category_Example1 (contains example1.com)
Action: Decrypt with certificate example1.com

Symptoms
Some SSL websites do not open even after the URL has been included in ssl-exclude-cert, despite following the instructions in How to Exclude a Site from SSL Decryption.
The websites' failure to open also holds for the implicitly excluded URLs provided by Palo Alto Networks in List of Applications Excluded from SSL Decryption.
Diagnosis
If a URL category is included in the decryption rules, then the first time traffic for a website matching that URL category hits the device, the firewall will not skip decryption based on the SNI (Server Name Indication) in the Client Hello packet, even if that website is excluded from decryption via the SSL Exclude Certificate settings.
The firewall still acts as a forward proxy for the connection and sends its own list of supported cipher suites to the server.
If the server accepts the Client Hello proposed by the firewall and sends a Server Hello / Certificate, the firewall then inspects the server certificate for the Common Name and matches it against the configured SSL Exclude Certificate settings. If it matches, the server address and TCP port are added to the exclude cache for the particular rule they match. This exclude cache is then used for future connections matching the same parameters and causes the firewall to skip the proxy entirely.
If the server does not support the cipher suites sent (rewritten) by the firewall, the server might send an SSL error message or just reset the connection with a TCP RST.
Solution
If the firewall is sending cipher suites that are unsupported by the server, even after including the certificate in the SSL Exclude Certificate settings, perform the following steps to resolve the issue.
Inside Objects > URL Category, click Add to create a new custom URL category, for example ExcludeSSLdescryption, then add the URLs that you do not want decrypted to this category.
Inside Policies > Decryption, create a No-Decrypt rule above the SSL decryption rule used for decrypting the rest of the traffic, and place the newly created URL category ExcludeSSLdescryption in its URL Category field. This way, traffic for that URL category is excluded from the decryption policy before the SNI-independent proxying described above can occur.
Commit this change for it to take effect.

If a website or destination only supports ECDHE SSL cipher suites, SSL decryption forward proxy will not work.
This is because ECDHE cipher suites are not supported by the forward proxy feature.
Let's take a look at how the SSL decryption forward proxy feature handles the unsupported ECDHE cipher suites.
The client sends an SSL Client Hello to the website or destination host. The Client Hello includes all the SSL cipher suites the client supports, including the ECDHE cipher suites. The Palo Alto Networks firewall intercepts the Client Hello packet, selects the supported ciphers from this list (removing the ECDHE ones), re-crafts the SSL Client Hello and proxies it to the website.
If the website does not support any non-ECDHE cipher, the website or destination host replies with an SSL handshake failure (alert code 40, unsupported ciphers).
The packet containing 'SSL handshake failure: error code 40, unsupported ciphers' is the trigger for the Palo Alto Networks firewall to learn that the website or destination host does not support the proposed SSL cipher suites. The firewall gives up decryption for this website and populates its 'ssl-decrypt exclude cache'.
From then on, the Palo Alto Networks firewall will not proxy any subsequent connections to this website or destination host.
The lifetime of the SSL decrypt exclude cache is 12 hours. It persists as long as no change is made to the decryption policy.
If you collect another packet capture on the firewall in the receive and transmit stages and compare them, you can see that the SSL cipher suites proposed in the Client Hello by the actual client machine behind the firewall and in the one relayed by the firewall are the same: SSL decryption forward proxy is bypassed.
Beginning with PAN-OS 7.0.1
SSLv3 is the minimum version of the SSL protocol that is supported. It is not supported in FIPS mode, though.
The SSL decrypt exclude cache works in tandem with the configured parameters. The server URL/IP, app and decryption profile are put in the exclude cache if all of the following hold:
The decryption mode is SSL Forward Proxy.
"Block sessions with unsupported version" and "Block sessions with unsupported cipher suites" are unchecked.
The failure comes from the server side rather than the client side, either in the Server Hello or in an alert from the server.
For example:
PA-VM> show system setting ssl-decrypt exclude-cache
VSYS  SERVER              APP  TIMEOUT  REASON           DECRYPTED_APP  PROFILE
1     91.185.164.129:443  ssl  43186    SSL_UNSUPPORTED  undecided      Decrypt Stream
In the above output from the command line of the Palo Alto Networks firewall:
VSYS: 1 is the ID of the default virtual system (vsys1)
SERVER: 91.185.164.129 is the IP address of the website / destination host
APP: ssl is the SSL application
TIMEOUT: 43186 is the lifetime of the cached entry in seconds; the maximum cache lifetime is 12 hours, or 43200 seconds
REASON: SSL_UNSUPPORTED means unsupported SSL cipher suites, hence the entry in the exclude cache
DECRYPTED_APP: undecided, as the session was not decrypted, so the firewall does not know the underlying application
PROFILE: Decrypt Stream is the name of the decryption profile referenced in the SSL decryption policy
The cache can be cleared using the following CLI options:
PA-VM> debug dataplane reset ssl-decrypt exclude-cache
+ application  application
+ server       server address and port
For example:
PA-VM> debug dataplane reset ssl-decrypt exclude-cache application ssl server 91.185.164.129:443
Please refer to the PAN-OS New Features Guide for the enhancements made to the SSL decryption feature.
Read this article for more information about unsupported SSL cipher suites:
Unsupported SSL cipher suites for Decryption
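Added example, not PAN-OS code: a parser for the exclude-cache table shown above that lists which servers are currently bypassing decryption and builds the per-entry reset command from the article. It assumes TIMEOUT counts down from the 43200-second maximum (so age is derived from it); the first sample row is the one from the article, the second row and the 203.0.113.10 address are constructed.

```python
MAX_LIFETIME = 43200   # maximum exclude-cache entry lifetime: 12 hours, per the article

def parse_exclude_cache(output):
    """Parse 'show system setting ssl-decrypt exclude-cache' output into dicts.
    PROFILE can contain spaces ("Decrypt Stream"), so split at most 6 times."""
    entries = []
    for line in output.splitlines():
        parts = line.strip().split(None, 6)
        if len(parts) < 7 or not parts[0].isdigit():   # skip prompt, header and blank lines
            continue
        vsys, server, app, timeout, reason, decrypted_app, profile = parts
        host, _, port = server.rpartition(":")
        entries.append({
            "vsys": int(vsys), "server": server, "host": host, "port": int(port),
            "app": app, "timeout": int(timeout), "reason": reason,
            "decrypted_app": decrypted_app, "profile": profile.strip(),
            # assumption: TIMEOUT counts down from the 12 h maximum, so this is the entry's age
            "age_seconds": MAX_LIFETIME - int(timeout),
        })
    return entries

def bypassed_servers(entries, reason="SSL_UNSUPPORTED"):
    """Servers whose sessions are currently passing the firewall undecrypted."""
    return sorted({e["server"] for e in entries if e["reason"] == reason})

def reset_commands(entries, reason="SSL_UNSUPPORTED"):
    """The per-entry CLI command from the article that evicts one cache entry."""
    return [f"debug dataplane reset ssl-decrypt exclude-cache application {e['app']} server {e['server']}"
            for e in entries if e["reason"] == reason]

# Constructed sample: the row from the article plus one made-up entry (RFC 5737 test address).
SAMPLE_OUTPUT = """\
PA-VM> show system setting ssl-decrypt exclude-cache

VSYS  SERVER               APP  TIMEOUT  REASON           DECRYPTED_APP  PROFILE
1     91.185.164.129:443   ssl  43186    SSL_UNSUPPORTED  undecided      Decrypt Stream
1     203.0.113.10:8443    ssl  120      SSL_UNSUPPORTED  undecided      Decrypt Stream
"""
```

Feeding the parsed entries into a scheduled report gives a running inventory of destinations that are silently exempt from inspection, which is otherwise visible only on the CLI.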

Overview
The following table provides a list of valuable resources on configuring and troubleshooting App-ID:
TITLE | TYPE

Configuration
Not-applicable, incomplete, insufficient data in the application field | Document
Tips & Tricks: How to create an application override | Document
How to create an application filter to block high-risk applications | Document
How to check if an application needs explicitly-allowed dependency apps | Document
How to configure the 'sip-trunk' App-ID | Document
How to configure a custom App-ID | Video
App-IDs for SSL-Secured versions of well-known services | Document
How to request a new App-ID | Document
Demonstration of Google SafeSearch custom App-ID | Video
How to create an application override for FTP | Document
Tips & Tricks: What is application dependency? | Document
What is the APP-ID for Palo Alto Networks updates? | Document

Troubleshooting
How to validate and report application misidentification | Document
List of Applications Excluded from SSL Decryption | Document
How to clear cache for App-ID, Proxy certificates, URL, and user | Document
How Palo Alto Networks identifies HTTPS applications without decryption | Document
How to verify the application name change from Unknown-tcp/udp to actual App-ID | Document
Access to external web services required by dynamic updates and WildFire | Document
How much data is necessary to recognize an application | Document
Custom App without signature not matching security rule | Document

Other Resources
App-ID Admin Guide | Guide
Applipedia | Database
Note: If you have a suggestion for an article, video or discussion not included in this list please post a recommendation in the comments below and it will be added to the master list.
owner: ekampling

Symptoms
When trying to use a certificate for SSL decryption, the following error might appear during a commit:
Certificate 'cert_name' failed to load: parse tbs certificate not supported algorithm
Issue
This error occurs when either the certificate's key is stronger than RSA 3072 or its hash is stronger than SHA 256.
Resolution
Create a certificate that uses RSA 3072 and SHA 256 or lower.
owner: nbilly

Issue
A user has two instances of Panorama in the production network and is preparing to turn on Panorama HA. The Panorama VM at the primary site has been cloned and brought up on the secondary site, and the MAC address, serial number and management IP address have been changed. However, the two VMs have the same HA key, and an error appears when attempting the HA key exchange. Is there a way to regenerate the HA key in one of these Panorama instances?
Resolution
To regenerate the HA encryption key:
1. Reset the SSH keys on one of the Panorama boxes with the following CLI command:
admin@Panorama97> debug system ssh-key-reset high-availability
2. Resync the keys between the two Panoramas with the SCP export/import commands:
admin@Panorama97> scp export high-availability-key
+ remote-port  SSH port number on remote host
* from         from
* to           Destination (username@host:path)
admin@Panorama97> scp import high-availability-key
+ remote-port  SSH port number on remote host
* from         Source (username@host:path)
owner: gutierrez